Zoom, the online collaboration and teleconferencing application, has gained millions of new users almost overnight in response to remote work/school shifts prompted by COVID-19. But in the past week, he company has also been scrutinized by security researchers and government agencies with counterintelligence concerns.
Zoom is yet another application which we can add to our ever growing list of applications (TikTok being a recent addition) which have a clear counterintelligence threat when their underlying operational characteristics or infrastructure are better understood.
The counterintelligence issue with Zoom lays in the fact that the application routes the meeting encryption keys required by their home-grown encryption scheme to route through servers located in China.
Zoom’s privacy issues
The FBI issued their warning following multiple reports of online conferences being disrupted by third-party individuals.
“Zoombombing” is a new term referring to third-parties entering online meetings uninvited. It is made possible by the meeting host making the meeting public and then having the “meeting ID” compromised. Anyone with the application and ID can log into the meeting.
Zoom also faces the scrutiny of New York Attorney General Letitia James. In a letter to James, obtained by The New York Times, James noted how her office is “concerned that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network”
The University of Texas – Austin President Greg Fenves sent out a tweet in which he acknowledged incidents of Zoombombing and that these were be investigated.
We are investigating the racist Zoom bombing of a meeting of UT students, staff & faculty. It was reprehensible. If the perpetrators are members of the UT community, they will be disciplined. We will also increase online security for all UT staff to prevent similar incidents.
— Greg Fenves (@gregfenves) March 31, 2020
The FBI urges, in their advisory, “exercising due diligence and caution in your cybersecurity efforts.” To that end, they make the following recommendations:
- Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
- Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
- Manage screensharing options. In Zoom, change screensharing to “Host Only.”
- Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
- Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
Additionally, the application came under fire for allegedly sharing user information with Facebook, without giving users the opportunity to opt-in. Amidst the cacophony of complaints, Zoom removed the tracking software which scraped the user information and made it available to Facebook.
Zoom’s counterintelligence threat
Cybersecurity researchers at Citizen Lab (University of Toronto) found that Zoom’s home-grown encryption scheme was flawed. Bill Marczak, a research fellow at the lab commented to the BBC, “Zoom has made the classic mistake of designing and implementing their own encryption scheme, rather than using one of the existing standards for encrypting voice and video content. To be sure, Zoom’s encryption is better than none at all, but users expecting their Zoom meetings to be safe from espionage should think twice before using the app to discuss sensitive information.”
The lab’s test calls showed that the encryption keys for meetings were transiting China.
While the UK’s National Cyber Security Center issued their statement saying “Zoom is being used to enable unclassified crisis COVID-19 communications in the current unprecedented circumstances. Assured services are in place for more sensitive communications and the provision of these services is being widened given the demands of much greater remote working.”
Further evidence of the Chinese hand within Zoom’s product can be found within Zoom’s own SEC Form 10-K filings submitted 20 March 2020 (pdf 102 pages). The filing indicates Zoom does in fact “operate research and development centers in China”, employing more than 700 employees as of January 31, 2020. The company goes on to highlight that these employees are the backbone of their product development team.
The rationale for placing the product development in China? “Personnel costs are less expensive.”
Zoom recognizes that their China choices place their product and company at risk, real or perceived, as evidenced by their inclusion of this phrase: “In addition, we have a high concentration of research and development personnel in China, which could expose us to market scrutiny regarding the integrity of our solution or data security features.”
In Zoom’s defense, CEO Eric Yuan published a blog post on April 1 outlining a number of specific steps the company would be taking to mitigate privacy and security concerns. Zoom also issued a post which explains the “encryption scheme” and steps back prior claims that the application provided end-to-end encryption. This post highlights the fact that Zoom has never implemented lawful intercept.
What it doesn’t say is have they provided to the Chinese government the knowledge which would allow that nation’s intelligence entities to engage in the decryption of meeting content given the encryption keys transit China.
Counterintelligence Safety Recommendation
If you are using Zoom for family purposes, follow the FBI recommendations.
Should you be using teleconferencing and multi-user meeting apps for educational purposes, use only those apps which are compliant with the Family Educational Rights and Privacy Act. New York City’s school’s 75,000 teachers who had transitioned online in mid-March 2020, were ordered by the city’s Department of Education Chancellor Richard Carranza, to move their virtual classrooms off the application as soon as possible citing security and privacy concerns.
If you are a government entity or contractor, unplug Zoom now. The counterintelligence threat posed by the application can’t be mitigated at your desk, especially when the “secure meeting” keys are transiting Chinese servers.